On 17.05.2025 at 14:23:35, Alessandro Vesely via mailop writes:
>
> After a glance at those sites, I still don't understand what's wrong if a
> certificate could also be used for client authentication.

There is nothing wrong with using a client certificate for authentication *as such*, but the server cert and client cert functions should be separated. Why?

A server cert, like the one obtained from Let's Encrypt, identifies a *server*, not a particular user. Even if you specify a contact email address in the cert request, that address is not verified (as far as I remember), and it is also intended to be a generic administrative address under which the server operator can be contacted, rather than an address identifying a particular user.

A client cert, on the other hand, identifies a particular *user*. In our case, the user's identity would be determined by a particular email address.

I can totally imagine that Let's Encrypt, besides server certs, *could* issue separate client certs, where you specify your email address in the cert request, and that address is verified, e.g. by the usual method: you receive a confirmation link in email and you have to click on it. Such a cert would identify a particular email account and could be used to authenticate to the email server (instead of login and password). But these functions should not be mixed in the same cert.

-- 
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
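
The separation argued for above can be enforced mechanically on the mail server side. The following is an added example, not code from the post or from any mail server or CA; it assumes that the server/client distinction is expressed through the X.509 Extended Key Usage extension (serverAuth vs. clientAuth) and that the user's mailbox is bound through an rfc822Name SAN, and it uses constructed self-signed certificates in place of CA-issued ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// NewTestCert builds a constructed, self-signed certificate carrying the given
// extended key usages, DNS SANs and rfc822Name SANs. It stands in for a
// CA-issued cert here; no real Let's Encrypt certificate is involved.
func NewTestCert(ekus []x509.ExtKeyUsage, dns, emails []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture: errors ignored
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    ekus,
		DNSNames:       dns,
		EmailAddresses: emails,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// AcceptClientCert decides whether cert may authenticate the mailbox user.
// It must carry the clientAuth EKU (a serverAuth-only web cert names a host,
// not a person) and must bind exactly that mailbox in an rfc822Name SAN.
func AcceptClientCert(cert *x509.Certificate, user string) error {
	if !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth) {
		return fmt.Errorf("no clientAuth EKU: a server certificate identifies a host, not a user")
	}
	if !slices.Contains(cert.EmailAddresses, user) {
		return fmt.Errorf("certificate does not bind mailbox %q", user)
	}
	return nil
}

func main() {
	web := NewTestCert([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{"mail.example.org"}, nil)
	fmt.Println(AcceptClientCert(web, "alice@example.org")) // rejected: host cert, not a user cert
}
```

In a real deployment the certificate would also be chain-validated against the issuing CA before these two checks run; the example only shows the identity-binding part.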
